Software Acquisition Guide Fact Sheet
The fact sheet provides an overview of, and frequently asked questions about, the CISA Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force’s Software Acquisition Guide for Government Enterprise Consumers: Software Assurance in the Cyber-Supply Chain Risk Management (C-SCRM) Lifecycle. The Guide can help procurement officials identify the critical information needed to mitigate risks associated with third-party software. It goes beyond attestation forms, which are a necessary starting point for addressing the risks passed on to the enterprises that use the software. The Guide seeks to reduce internal or external software supply chain risks and offers insights into the secure software development practices necessary for evaluating prospective suppliers and products.